07-28-2012, 11:32 AM
Grzegorz Dwornicki

How to export CA certificate into client from server

On Gmail I have a "reply" option next to every email. If you are using an email client, look in the docs for your client.

Your error means that the CN (common name) field of the certificate is wrong. It should be the FQDN of the 389 server. You need to make a new server cert.

Good luck!

2012/7/28 fosiul alam <expertalert@gmail.com>

Hi
I am not getting replies by email, so I can't click on reply...
How will I get replies by email?

@<arpittolani@gmail.com>

I think I have done something wrong creating the certs.

I have used the below script to create all the certificates: https://github.com/richm/scripts/blob/master/setupssl2.sh

Now when I do this, I get the below error:

ldapsearch -x -ZZ -D "cn=Directory manager" -w password -h ldap-2 -b "dc=fosiul,dc=lan"

ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
07-28-2012, 11:45 AM
fosiul alam

How to export CA certificate into client from server

Hi,
Thanks. I understand I will have to start from scratch for the certificate, but I need a few explanations.

My LDAP server hostname is: ldap-2.fosiul.lan
and I just have cn="Directory Manager".

So according to that info, what shall I put in:
dc=directory ???
and
cn=directory.example.com" ???

My server hostname or "Directory Manager"?

# certutil -S -n "CA certificate" -s "cn=CA cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa

Make sure you say yes to "Is this a CA certificate [y/N]?" and everything else will be default.

Next we create your server cert. Make sure your cn is the FQDN of this server.

# certutil -S -n "directory-Server-Cert" -s "cn=directory.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa

Thanks for your help.
Really appreciate it.
 
07-28-2012, 11:55 AM
Arpit Tolani

How to export CA certificate into client from server

Hi

On Sat, Jul 28, 2012 at 5:15 PM, fosiul alam <expertalert@gmail.com> wrote:

Hi
Thanks. I understand I will have to start from scratch for the certificate, but I need a few explanations.

My LDAP server hostname is: ldap-2.fosiul.lan
and I just have cn="Directory Manager".

Try below.
# certutil -S -n "directory-Server-Cert" -s "cn=ldap-2.fosiul.lan" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa

Regards
Arpit Tolani

 
07-28-2012, 12:13 PM
fosiul alam

How to export CA certificate into client from server

Hi, thanks.

No, I think it's fine.
I was trying with ldap-2 only, but when I use the FQDN it works, like below:
ldapsearch -x -ZZ -D "cn=Directory manager" -w password -h ldap-2.fosiul.lan -b "dc=fosiul,dc=lan"
Which returns all results (if I try from the server).
Example (last few lines):
uid: falam
cn: Fosiul Alam
homeDirectory: /home/falam
userPassword:: NUR5T0Roa2FSU1pSR0RrSWNYYkVvYVU2V2c9PQ=
=
# search result
search: 3
result: 0 Success
# numResponses: 7

- Ignored:
# numEntries: 6

Does it mean it's OK?

But when I do (from the LDAP server):

[root@ldap-2 ~]# ldapsearch -x -ZZ '(uid=falam)'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (uid=falam)
# requesting: ALL
#

# search result
search: 3
result: 0 Success

It's not getting anything.

What to do?

Thanks for your help
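The short-name failure in this thread (`-h ldap-2` rejected, `-h ldap-2.fosiul.lan` accepted) is the client's hostname check doing its job: with `-ZZ`, ldapsearch requires StartTLS and stops unless the name it connected to matches the server certificate. The Python script below is an added example, not code from the thread or from 389 DS; it reimplements that matching in the RFC 6125 style (dNSName SANs first, subject CN only as a fallback, a wildcard covering exactly one label) over constructed certificate identities so the behaviour can be seen offline. `CertIdentity`, `hostname_matches` and `explain` are names chosen for the example; the certificate subjects are constructed to mirror the thread (the FQDN cert Arpit's certutil line produces, and the "Directory Manager" bind DN the poster confused with it).

```python
"""Hostname-vs-certificate matching (added example, not code from the thread).

Reproduces why `ldapsearch -ZZ -h ldap-2` fails with "hostname does not
match CN in peer certificate" when the server certificate's CN is
ldap-2.fosiul.lan, while `-h ldap-2.fosiul.lan` succeeds. Rules follow
RFC 6125: dNSName SANs are authoritative when present, the subject CN is
only a fallback, and a wildcard covers exactly one leftmost label.
Every certificate identity below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """The name fields a verifier extracts from a server certificate."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against a hostname, case-insensitively.

    '*' is honoured only as the entire leftmost label and only when at least
    two labels follow it, so '*.fosiul.lan' matches 'ldap-2.fosiul.lan' but
    neither 'a.b.fosiul.lan' nor 'fosiul.lan'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertIdentity, hostname: str) -> bool:
    """RFC 6125 check: if any dNSName SAN exists, the CN is ignored entirely."""
    if cert.san_dns:
        return any(_name_matches(name, hostname) for name in cert.san_dns)
    if cert.subject_cn is None:
        return False
    return _name_matches(cert.subject_cn, hostname)


def explain(cert: CertIdentity, hostname: str) -> str:
    """Verdict in the wording ldapsearch printed in the thread."""
    if hostname_matches(cert, hostname):
        return "ok"
    return "TLS: hostname does not match CN in peer certificate"


# Constructed identities mirroring the thread: the server cert Arpit's
# certutil line produces, the bind DN the poster confused with it, and a
# SAN-bearing cert as modern CAs issue them.
CN_FQDN = CertIdentity(subject_cn="ldap-2.fosiul.lan")
CN_DIRMGR = CertIdentity(subject_cn="Directory Manager")
SAN_CERT = CertIdentity(subject_cn="unused.example", san_dns=["ldap-2.fosiul.lan"])

if __name__ == "__main__":
    for label, cert in (("CN only", CN_FQDN), ("CN=Directory Manager", CN_DIRMGR), ("SAN", SAN_CERT)):
        for host in ("ldap-2", "ldap-2.fosiul.lan"):
            print(f"{label:22s} {host:20s} -> {explain(cert, host)}")
```

Real clients leave this to the TLS library (Python's `ssl` module does it when `check_hostname` is on), so the practical lesson is the one the thread arrives at: connect by the name the certificate carries, or issue a certificate carrying the name you connect by; the bind DN (`cn=Directory Manager`) has nothing to do with the certificate subject.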
 
07-28-2012, 12:18 PM
Grzegorz Dwornicki

How to export CA certificate into client from server

Does this user have uid=falam in its DN?

TLS works, if that is what you are asking.

On 28-07-2012 14:13, "fosiul alam" <expertalert@gmail.com> wrote:
 
07-28-2012, 12:37 PM
fosiul alam

How to export CA certificate into client from server

Hi
I think I am very close to fixing the issue.
Please have a look at the commands below.
I can do this from the server or the client; this is the result I get:

[root@home ~]# ldapsearch -x -ZZ -D "cn=Directory manager" -w xxxx -h ldap-2.fosiul.lan -b "dc=fosiul,dc=lan"
# extended LDIF
#
# LDAPv3
# base <dc=fosiul,dc=lan> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# fosiul.lan
dn: dc=fosiul,dc=lan
dc: fosiul
objectClass: domain
objectClass: top

# uk, fosiul.lan
dn: l=uk,dc=fosiul,dc=lan
l: uk
objectClass: locality
objectClass: top

# groups, uk, fosiul.lan
dn: ou=groups,l=uk,dc=fosiul,dc=lan
objectClass: organizationalUnit
objectClass: top
ou: groups

# users, uk, fosiul.lan
dn: ou=users,l=uk,dc=fosiul,dc=lan
objectClass: organizationalUnit
objectClass: top
ou: users

# techops-uk, groups, uk, fosiul.lan
dn: cn=techops-uk,ou=groups,l=uk,dc=fosiul,dc=lan
gidNumber: 3000
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: techops-uk

# falam, users, uk, fosiul.lan
dn: uid=falam,ou=users,l=uk,dc=fosiul,dc=lan
givenName: Fosiul
sn: Alam
loginShell: /bin/bash/bash
uidNumber: 1000
gidNumber: 3000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: falam
cn: Fosiul Alam
homeDirectory: /home/falam
userPassword:: e1NTSEF9UGtqNjhvazF1SFR0NUR5T0Roa2FSU1pSR0RrSWNYYk VvYVU2V2c9PQ=
=

# search result
search: 3
result: 0 Success

# numResponses: 7
# numEntries: 6


So falam is in LDAP.

So from a Linux client or the server, if I type

id falam

or ssh falam@ldap-2

it should accept the password, but I get this:

[root@home ~]# id falam
id: falam: No such user

or

Jul 28 13:31:33 ldap-2 sshd[6071]: pam_succeed_if(sshd:auth): error retrieving information about user falam
Jul 28 13:31:34 ldap-2 sshd[6071]: Failed password for invalid user falam from 192.0.0.4 port 60072 ssh2

Please help with my last problem.
Thanks
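The entry above has the posixAccount attributes NSS needs, so `id: falam: No such user` on the client points at client-side wiring (the NSS/PAM stack, via sssd or nss-pam-ldapd, is not yet consulting the server), which is what the next reply asks about. Before touching the client it is still worth checking the directory side mechanically. The Python script below is an added example, not code from the thread or from 389 DS: it parses ldapsearch LDIF output (comments, blank-line separated entries, base64 `::` values, continuation lines) and checks each posixAccount for the attributes the passwd map needs, a sane loginShell, a hashed userPassword and a matching posixGroup. The sample LDIF is trimmed from the thread's output with the userPassword value replaced by a constructed placeholder; on it the script flags the `loginShell: /bin/bash/bash` value that appears in the thread, a path that does not exist and would break shell logins even once NSS resolves the user. `parse_ldif`, `check_posix_user` and `audit` are names chosen for the example.

```python
"""Added example (not from the thread): audit ldapsearch LDIF output for the
attributes nss_sss/nss_ldap need to resolve a POSIX user.

A correct directory plus `id: <user>: No such user` on the client means the
client's NSS is not consulting LDAP; this checks the directory side so that
the client wiring (sssd or nslcd) is the only remaining variable.
"""
import base64
import re
from typing import Dict, List

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values

# What the NSS passwd map needs from a posixAccount entry
REQUIRED_USER_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
# Coarse sanity check; a real deployment compares against /etc/shells
SHELL_RE = re.compile(r"^/(bin|sbin|usr/bin|usr/sbin|usr/local/bin)/[A-Za-z0-9_.-]+$")

# Trimmed from the thread's ldapsearch output; the userPassword value is a
# constructed placeholder (base64 of "{SSHA}PLACEHOLDER"), not the real hash.
SAMPLE_LDIF = """\
# falam, users, uk, fosiul.lan
dn: uid=falam,ou=users,l=uk,dc=fosiul,dc=lan
givenName: Fosiul
sn: Alam
loginShell: /bin/bash/bash
uidNumber: 1000
gidNumber: 3000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: falam
cn: Fosiul Alam
homeDirectory: /home/falam
userPassword:: e1NTSEF9UExBQ0VIT0xERVI=

# techops-uk, groups, uk, fosiul.lan
dn: cn=techops-uk,ou=groups,l=uk,dc=fosiul,dc=lan
gidNumber: 3000
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: techops-uk
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: '#' comments, blank-line separated entries,
    'attr: value' and base64 'attr:: value'. Attribute names are lower-cased
    because LDAP treats them case-insensitively."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text) + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def _classes(entry: Entry) -> set:
    return {c.lower() for c in entry.get("objectclass", [])}


def _first(entry: Entry, attr: str):
    values = entry.get(attr.lower())
    return values[0] if values else None


def check_posix_user(entry: Entry) -> List[str]:
    """Problems that would stop NSS resolving, or a shell login using, this entry."""
    problems: List[str] = []
    if "posixaccount" not in _classes(entry):
        problems.append("missing objectClass posixAccount")
    for attr in REQUIRED_USER_ATTRS:
        if _first(entry, attr) is None:
            problems.append(f"missing {attr}")
    for attr in ("uidNumber", "gidNumber"):
        value = _first(entry, attr)
        if value is not None and not value.isdigit():
            problems.append(f"{attr} is not numeric: {value}")
    shell = _first(entry, "loginShell")
    if shell is not None and not SHELL_RE.match(shell):
        problems.append(f"loginShell looks wrong: {shell}")
    for pw in entry.get("userpassword", []):
        if not pw.startswith("{"):  # no {SSHA}/{CRYPT}-style scheme prefix
            problems.append("userPassword has no hash scheme prefix")
    return problems


def primary_group_exists(user: Entry, entries: List[Entry]) -> bool:
    """True if some posixGroup entry carries the user's gidNumber."""
    gid = _first(user, "gidNumber")
    return any("posixgroup" in _classes(e) and _first(e, "gidNumber") == gid
               for e in entries)


def audit(text: str) -> Dict[str, List[str]]:
    """Map each posixAccount DN to its problems (empty list means clean)."""
    entries = parse_ldif(text)
    report: Dict[str, List[str]] = {}
    for e in entries:
        if "posixaccount" in _classes(e):
            problems = check_posix_user(e)
            if not primary_group_exists(e, entries):
                problems.append("gidNumber has no matching posixGroup")
            report[_first(e, "dn")] = problems
    return report


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "->", problems or "ok")
```

Feed it the full `ldapsearch -x -ZZ ... -b "dc=fosiul,dc=lan"` output and it reports per user; an empty list means the remaining work is on the client (nsswitch.conf pointing at `sss` or `ldap`, and the client's CA trust set up with the server's CA certificate so that its own `-ZZ`-style verification passes).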
 
07-28-2012, 12:42 PM
Arpit Tolani

How to export CA certificate into client from server

Hello

On Sat, Jul 28, 2012 at 6:07 PM, fosiul alam <expertalert@gmail.com> wrote:

Is the client RHEL-5 or RHEL-6?

Do you want to use pam_sss.so or pam_ldap.so? Google them for more info.

Could you come online on the #389 Freenode channel? This will speed up the process.


Regards
Arpit Tolani

